1. Introduction
Underpinned by the new generation of information and communication technologies, such as cloud computing, big data, and artificial intelligence, the internet of vehicles (IoV) comprises vehicles, roadside units, cloud servers, and other devices. The IoV enables intelligent traffic management, dynamic information services, and vehicle automation through multidimensional interactions among vehicles, individuals, and roadside environments [1,2,3]. The IoV enhances the safety and comfort of daily commuting. Data sharing and utilization within IoV scenarios are pivotal for enhancing vehicular services. The voluminous amount of data shared among vehicles, road infrastructure, and cloud systems is intricately intertwined with people's daily lives. Given the open operational landscape of the IoV, transmitted information is susceptible to various forms of attacks, including interception, forgery, eavesdropping, and tampering by malicious entities. These data encompass a significant quantity of sensitive information, and their compromise could result in direct adverse consequences for users [4,5,6]. Given the escalating number of vehicles and the expansion of national road networks within the IoV, alongside the increasing participation of collaborative computing devices, ensuring the security and integrity of data transmission during efficient data sharing has emerged as a paramount research concern [7,8]. The architecture of the IoV is illustrated in Figure 1.
Secure multiparty computation (MPC) is a computational model designed to safeguard the privacy and data security of multiple participants engaged in collaborative computations. It enables a set of parties to interact and compute joint functions of their private inputs, revealing only the output [9]. Data resources have become a critical competitive advantage across various industries, and the same holds true for the internet of vehicles domain. However, due to the lack of uniformity between data owners and users, issues such as data security and personal privacy are increasingly exacerbated. Secure multiparty computation (MPC) technology can simultaneously ensure the privacy of data inputs and the correctness of data computations. Furthermore, it can guarantee, through protocols, that the input data of participating parties in computations remain undisclosed even in the absence of a third party [10,11]. Multiparty homomorphic encryption (MHE) is a category of solutions within the realm of secure multiparty computation (MPC). It extends traditional single-party homomorphic encryption schemes to multiple participants. Existing generations of MHE schemes have evolved from traditional homomorphic encryption schemes through expansion and refinement. With the emergence of the latest generation of MHE schemes based on the Learning with Errors (LWE) framework [12], various variants of this approach have subsequently proliferated. In order to further enhance the efficiency of MHE schemes and reduce communication overhead, threshold access structures have been applied in this approach [13,14,15]. Researchers have applied MHE schemes in federated learning [16] to safeguard sensitive data [17,18]. The MPC constructed by MHE is primarily divided into two stages, comprising a one-time setup phase and a subsequent phase capable of executing an arbitrary number of functional evaluations post-setup completion [19]. During the setup phase, all parties jointly execute specialized multiparty protocols to generate public keys suitable for homomorphic operations. These keys are then distributed to each party through secure channels along with their respective secret keys. During the functional evaluation phase, parties first encrypt their respective data using the public keys, generating ciphertexts. Subsequently, computations are performed on these ciphertexts leveraging the properties of homomorphic operations. Finally, through multiparty protocols, parties collaboratively recover the private keys from the distributed secret keys and use them to decrypt the ciphertexts. Our proposed multiparty homomorphic encryption scheme is capable of completing both the one-time setup phase and the functional evaluation phase. Moreover, regarding the issue of private key exposure after ciphertext decryption, we address this by refreshing the public–private keys through multiparty protocols, enabling successive rounds of the functional evaluation phase without the need for reinitialization.
In the internet of vehicles (IoV), the use of secure multiparty computation (MPC) technology enables the secure sharing and computation of data among IoV terminal devices. Considering the challenges posed by low transmission efficiency and poor network quality in the open application scenarios of IoV, our proposed solution offers high efficiency and low communication overhead, thus alleviating such issues. The conceptual diagram of secure multiparty computation in the internet of vehicles is illustrated in Figure 2.
Our Contributions
In recent years, our work has primarily focused on the processing of privacy data in the IoV [20] and its application in federated learning [21]. In our previous work on emergency vehicle identification based on federated learning and homomorphic encryption, we relied on a trusted third party for key distribution. This study addresses this issue by modifying the homomorphic encryption scheme. By integrating the homomorphic encryption scheme with the span program without the involvement of a third party, privacy protection and efficient computation among multiple vehicles are achieved. The main contributions are as follows:
This paper presents an asymmetric homomorphic encryption algorithm based on the conjugate search problem and the discrete logarithm problem. Building upon this scheme, a novel multiparty homomorphic encryption scheme is constructed, consisting of four phases: construction, computation, recombination, and refreshing. This scheme enables secure computation among multiple vehicles without the need for a trusted third party, ensuring that privacy inputs are not disclosed. Moreover, the homomorphic properties of the encryption scheme allow ciphertext operations to satisfy both addition and multiplication.
In the semi-honest model, the utilization of the span program for the private key partitioning in the multiparty homomorphic encryption scheme ensures that only the authorized coalition of vehicles can jointly reconstruct the private key. This measure prevents excessive centralization of the key, thereby achieving risk diversification and intrusion tolerance objectives, and consequently thwarting unauthorized access. This approach reduces potential security risks, safeguards the integrity and privacy of the vehicular network, and alleviates communication pressure within the IoV.
We conducted comparative experiments of our proposed scheme within the architecture of the IoV against mainstream solutions, revealing significant advantages in terms of communication overhead and computational costs. Additionally, we applied our scheme in federated learning [22] in the IoV. Addressing the data leakage issue inherent in gradients in federated learning [23], we encrypted the gradients during transmission using our scheme, thus preventing gradient leakage while achieving correct aggregation of gradients from multiple vehicles [24]. Theoretical analyses and experimental evaluations collectively demonstrate the effectiveness of our proposed solution.
Organization: The remaining content of this paper is structured as follows. Section 2 introduces the basic concepts required for asymmetric encryption schemes and other related definitions. Section 3 provides a comprehensive overview of the proposed multiparty, fully homomorphic encryption scheme and conducts a security analysis of the scheme. In Section 4, a comparison of existing schemes is presented from both theoretical and experimental perspectives, along with a performance evaluation in federated learning experiments. Finally, Section 5 concludes the paper.
2. Preliminaries
This section will introduce the fundamental concepts and basic definitions required for asymmetric encryption schemes. Firstly, we will present the basic definition of the conjugate search problem (CSP) [25], which, due to its noise-free operations and post-quantum security, holds significance in post-quantum cryptography [26]. Next, we will elaborate on the discrete logarithm problem (DLP), a crucial concept in number theory and cryptography [27]. Subsequently, we will define the adversary model within the system. Finally, we will describe the correctness and security proofs of asymmetric encryption algorithms based on the CSP and DLP, as well as the span program.
2.1. Basic Definitions
Definition 1. (Conjugate search problem—CSP): Given a non-Abelian group , and , , , where , is an unknown element, and is a conjugate of with respect to , it is difficult to find when and are known. The conjugate search problem (CSP) is a problem in group theory. Let be a polynomial time algorithm with input security parameter and output a non-Abelian group of order . If the conjugate search problem of is hard, then for all probabilistic polynomial time (PPT) adversaries , the following formula is negligible:
If the elements in are matrices, the security can only be guaranteed by square matrices of order greater than 4 [28].
Next, we proceed to establish a non-Abelian group in the encryption scheme, utilizing 6th-order matrices as elements. Its form is as follows: In Formula , the symbols , and represent 2nd-order matrices.
Definition 2. (Discrete logarithm problem—DLP): Given a group , where is a generator of the group and is a random element in the group, computing is difficult. Let be a polynomial time algorithm with input security parameter and output a cyclic group of order along with one of its generators . If the discrete logarithm problem of is hard, then for all probabilistic polynomial time (PPT) adversaries , the following formula is negligible:
Definition 3. (Decisional Diffie–Hellman assumption—DDH assumption): Let be a group of prime order , where is a generator of , and . For the following two distributions, the quadruple and the random quadruple are computationally indistinguishable, termed the DDH assumption. That is, for any probabilistic polynomial time (PPT) adversary , the advantage of adversary in distinguishing quadruple from random quadruple , defined as , is negligible.
Definition 4. (Indistinguishability under the chosen plaintext attack game—IND-CPA game): The formal description of the indistinguishability game under chosen plaintext attack in a public-key encryption scheme is as follows, where the triplet representing the encryption scheme is and denotes the security parameter: For a PPT adversary , random guessing of also has a winning probability of . Therefore, the advantage of breaking the semantic security of the encryption scheme by using the chosen plaintext attack is defined as:
Definition 5. (IND-CPA security): For any PPT adversary , there exists a negligible function with parameter , denoted as , such that the advantage . Then, the encryption algorithm is considered IND-CPA-secure, meaning it is indistinguishable under the chosen plaintext attack.
Definition 6. (The semi-honest model): The semi-honest model (also known as the “honest but curious” model or passive attack model) is an important theoretical framework for evaluating and constructing cryptographic security protocols. This model assumes that all parties involved in the protocol will strictly follow the steps stipulated in the plan to carry out a series of operations, but the participants may attempt to obtain additional data through computational reasoning during the execution process.
To determine whether the scheme conforms to the security under the semi-honest model, the ideal/real model in cryptography is usually adopted for its formal analysis. The ideal/real model is a security analysis method based on simulation. In an ideal world, there exists a simulator that can generate a view indistinguishable from the execution of real protocols merely based on the input and output of legitimate participants. In other words, any information that can be obtained by observing the execution of the protocol should also be able to be derived from the corresponding input–output pairs. If such a simulation cannot be achieved, it indicates that the protocol may have leaked information.
Definition 7. (Simulation-based security in ideal/real models): Suppose there are participants in the scheme . For the participant , their input in the scheme is , all the information collected in the scheme is , and their final output is . Then, the view of the participant is expressed as . Let the set represent any non-empty subset of the participant, then the view of the real world is defined as . The security is defined as follows: In an ideal world, there exists a simulator such that it holds the following equation for any set : . Then, the scheme satisfies the simulation-based security under the semi-honest model. indicates that it is computationally indistinguishable.
2.2. Asymmetric Homomorphic Encryption Algorithm Based on CSP and DLP
We propose an asymmetric encryption algorithm based on the CSP and DLP, following the comprehension of Definitions 1 and 2. This algorithm serves as the foundation for multiparty fully homomorphic encryption schemes.
Initialization: Setting the security parameter as , we invoke and to generate and , respectively. is constructed by extracting elements over the field to form a 6th-order matrix group. The order of is , and is a cyclic group of order with the generator .
Generating the public–private key pair : Firstly, we extract elements from the group . Secondly, each is divided into four parts of random values, , and constructed into a matrix , where is a 2nd-order matrix composed of random values:
Randomly selecting a matrix from , we generate . The public key consists of two parts: and , while the private key is represented by the matrix , and the matrix is an invertible matrix.
Public key encryption : Firstly, for the plaintext , it is split into a combination of public values, i.e., , where and are random values.
The ciphertext corresponding to the plaintext can be expanded as:
where , is a 2nd-order random matrix, is a 2nd-order zero matrix, and .
Private key decryption : Performing the operation on the ciphertext matrix yields the plaintext matrix , as depicted in Formula . The plaintext is then obtained as .
The homomorphic properties of this algorithm are as follows:
- (1) Homomorphic addition: Let and be the ciphertexts corresponding to plaintexts and , respectively:
where , and after decryption, . This result demonstrates that it satisfies homomorphic addition.
- (2) Homomorphic multiplication: Let and be the ciphertexts corresponding to plaintexts and , respectively. During the multiplication operation, we require an auxiliary matrix to assist with the computation. In the considered encoding scheme, the data point m is represented as a combination of four components. Therefore, the multiplication of two encrypted data points generates a linear combination containing 16 terms, where each term corresponds to the product of two components. In order to construct this linear combination effectively and ensure the correctness of the operation, an auxiliary matrix T is introduced to describe the composition structure of each term. This auxiliary matrix can be generated and provided by either party involved in the multiplication operation, thereby allowing the other party to complete the multiplication efficiently within the encrypted domain:
where , and is a random 2nd-order matrix:
After decrypting the ciphertext , we extract the plaintext matrix . Here, is composed of , where . Let and , then:
where . This result demonstrates that the algorithm satisfies homomorphic multiplication.
Theorem 1. Under the assumption of the discrete logarithm problem (DLP), the asymmetric homomorphic encryption algorithm based on the CSP and DLP is IND-CPA-secure.
Below is a game used to formalize the discussion of the attacker’s advantage: The adversary possesses knowledge of the public key and the ciphertext , where . For a probabilistic polynomial time (PPT) adversary , the difficulty in decrypting the ciphertext lies in computing the exponents in . Computing the exponents in is equivalent to computing the exponent in the discrete logarithm problem (DLP) .
If adversary mounts an attack on this scheme with a non-negligible advantage , then they could employ the same advantage to attack the DLP assumption. Since the DLP is computationally difficult, this scheme is considered IND-CPA-secure against PPT adversaries.
2.3. Secret Sharing Scheme Constructed by Span Program
In this section, we utilize the secret sharing scheme constructed by the span program [29] to devise a secret splitting scheme for authorizing participating vehicles in the vehicular ad hoc network (VANET). The aim is to achieve the partitioning of authorized sets and authorized subsets within the VANET. The specific details are as follows.
Definition 8. (Span program): Let be a finite field, and be a matrix constructed over . Let be a set of Boolean variables. is a row labeling function for matrix , where , indicating that the -th row of is labeled with . The labeled matrix over is denoted as , representing a span program. Given a Boolean function with input , using input and the row labels , a submatrix of is constructed. The rule for constructing is to include rows labeled as if , or if . If some linear combination of the rows in yields the vector , this is denoted as , and the span program accepts input . If accepts , then . If the row labels only include , then the span program is monotonic.
The secret splitting scheme constructed using a monotonic span program is as follows: Assume the secret is , and there are participants. Let be a set, and be the characteristic vector of the set . If , then the -th bit of is 1; otherwise, it is 0. is the access structure that satisfies the secret splitting scheme. First, define a function . If is an authorized set, then . Let have columns and randomly select a vector from , such that . Compute the vector , and label each row of according to the row labels of . Assign the value labeled as to the corresponding participant as their secret share. We achieve the partitioning of authorized and unauthorized sets on , as described in [30].
The process of secret recovery is as follows: Let be the authorized subset, where . If , then , implying the existence of constants , such that , where the vector is extracted from as the -th row corresponding to participant in the set . The participants in set provide secret shares for computation:
The details of the initialization algorithm, secret sharing algorithm and secret recovery algorithm of span program are presented in Algorithms 1–3.
Algorithm 1. M.SETUP [30]
Input: participants denoted as
Output: access structure ; publicly disclosed matrix
1: Consider participants denoted as . Establish an access structure and construct and publicly disclose matrix .
Algorithm 2. M.SHARE [30]
Input: secret
Output: secret vector
1:
2: Compute , and send shares to participant as .
Algorithm 3. M.RECONSTRUCT [30]
Input: authorized subset
Output: secret
1:
2: Calculate and output based on constants .
Let the secret be , and a random vector is selected. The secret share is . Suppose set is an unauthorized set, holding secret shares . Then, no linear combination of rows in can form the vector , i.e., . Therefore, the vector is independent of all row vectors in , implying . Consequently, there exists a vector related to vector , such that , and . For any , let , then we have:
From Formulas and , we obtain and , indicating that the secret share held by set is also a secret share of . Due to the randomness of , the secret corresponding to the secret share is also random. Therefore, one secret share corresponds to multiple secrets, which are statistically indistinguishable.
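The span-program secret sharing of Algorithms 1–3 and the unauthorized-set argument above, as an added worked example (not code from the paper): it assumes a constructed 2-of-3 threshold access structure with target vector e = (1, 0) and a constructed prime field, and shows both reconstruction by an authorized set and why an unauthorized set's shares are consistent with any secret.

```python
import secrets

# Constructed example: shares live in the prime field F_P (a Mersenne prime, not a
# parameter from the paper).
P = 2**61 - 1


def msp_setup():
    """M.SETUP: publish the labelled matrix M of a monotone span program.

    Constructed access structure: a 2-of-3 threshold. Row i, labelled with
    participant i, is (1, i) over F_P and the target vector is e = (1, 0).
    Any two distinct rows are linearly independent in F_P^2, so they span e;
    a single row (1, i) never does, so singletons are unauthorized.
    """
    rows = [(1, 1), (1, 2), (1, 3)]
    labels = [1, 2, 3]          # rho(row) -> participant holding that row
    target = (1, 0)
    return rows, labels, target


def msp_share(secret, rows, labels, target):
    """M.SHARE: pick random r with <r, target> = secret and hand row_i . r to rho(i)."""
    d = len(rows[0])
    # With target = e1 the constraint <r, e1> = secret fixes r[0]; the rest is random.
    r = [secret % P] + [secrets.randbelow(P) for _ in range(d - 1)]
    assert sum(t * x for t, x in zip(target, r)) % P == secret % P
    return {p: sum(m * x for m, x in zip(row, r)) % P for row, p in zip(rows, labels)}


def solve_mod_p(A, b):
    """Solve A x = b over F_P by Gauss-Jordan elimination; None if inconsistent.

    Free variables are set to 0, so one particular solution is returned.
    """
    n, m = len(A), len(A[0])
    aug = [[v % P for v in A[i]] + [b[i] % P] for i in range(n)]
    pivots, row = [], 0
    for col in range(m):
        if row == n:
            break
        piv = next((i for i in range(row, n) if aug[i][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, P)
        aug[row] = [(v * inv) % P for v in aug[row]]
        for i in range(n):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(vi - f * vr) % P for vi, vr in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    # A zero row with a non-zero right-hand side means b is not in the column span.
    if any(not any(r_[:m]) and r_[m] for r_ in aug):
        return None
    x = [0] * m
    for i, col in enumerate(pivots):
        x[col] = aug[i][m]
    return x


def msp_reconstruct(subset, shares, rows, labels, target):
    """M.RECONSTRUCT: find lambda with sum lambda_i * row_i = target, then
    secret = sum lambda_i * share_i. Returns None when the subset is unauthorized."""
    sub = [(row, p) for row, p in zip(rows, labels) if p in subset]
    d = len(target)
    # Unknowns are the lambda_i (one per row of M_S); equations are the d
    # coordinates of sum_i lambda_i * row_i = target, i.e. (M_S)^T lambda = target.
    A = [[sub[j][0][k] for j in range(len(sub))] for k in range(d)]
    lam = solve_mod_p(A, list(target))
    if lam is None:
        return None
    return sum(l * shares[p] for l, (_, p) in zip(lam, sub)) % P


def shares_explain_secret(subset, shares, candidate, rows, labels, target):
    """True if some r' reproduces the subset's shares AND <r', target> = candidate.

    For an unauthorized subset this holds for every candidate (the shares carry no
    information about the secret); for an authorized subset only for the true one.
    """
    sub = [(row, p) for row, p in zip(rows, labels) if p in subset]
    A = [list(row) for row, _ in sub] + [list(target)]
    b = [shares[p] for _, p in sub] + [candidate]
    return solve_mod_p(A, b) is not None


if __name__ == "__main__":
    rows, labels, target = msp_setup()
    s = 123456789
    shares = msp_share(s, rows, labels, target)
    print("authorized {1,3}:", msp_reconstruct({1, 3}, shares, rows, labels, target))
    print("unauthorized {2}:", msp_reconstruct({2}, shares, rows, labels, target))
    print("{2} consistent with secret 42?",
          shares_explain_secret({2}, shares, 42, rows, labels, target))
```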
3. System Model
In this section, building upon the foundation laid in Section 2.2, we extend the asymmetric homomorphic encryption algorithm based on the CSP and DLP. We expand this algorithm to support multiparty homomorphic encryption, enabling multiple participants to collaboratively engage in computations. Subsequently, we employ a secret splitting scheme to partition authorized and unauthorized sets. After private key recovery, we utilize multiparty computation protocols to refresh the public–private keys and the secrets held by participating entities, thereby ensuring the security of each computation.
3.1. The Implementation Scheme of Multiparty Homomorphic Encryption
Initially, vehicle participants collaborate to generate security parameters and the field . A participant then invokes and to generate groups and , respectively. Subsequently, using , public values, matrices, and the public matrix are generated. Additionally, each participant computes their secret . then computes . After rounds of communication, collectively, they generate , where . Finally, the public key is , and the private key is . Each participant holds their respective secret .
The vehicle participants utilize the span program to share the secret . By employing the matrix , they partition the authorized set. Participant computes the secret vector and sends the corresponding shares to the other participants . Subsequently, each vehicle can encrypt plaintext using the public key and perform homomorphic operations on the ciphertext. Finally, the vehicles in the authorized set reconstruct the secret to obtain the correct computation result after decryption. The details of the initialization algorithm, encryption algorithm and decryption algorithm of the multiparty homomorphic encryption algorithm are presented in Algorithms 4–6.
Algorithm 4. MHE.SETUP
Input: participants denoted as
Output:
1: negotiate and generate the common parameters: . runs and to generate groups and . executes to generate public values, matrices, the public matrix , and secret .
2: After rounds of communication, are generated, where and each . Finally,
3: Run M.SETUP; each runs M.SHARE().
Algorithm 5. MHE.ENCRYPT
Input: plaintext ,
Output: ciphertext
1: Generate and output the ciphertext (Formula (8))
Algorithm 6. MHE.DECRYPT
Input: ciphertext , authorized subset
Output: plaintext
1: Run M.RECONSTRUCT() to obtain the private key .
2: Compute and then output .
The sequence diagram in Figure 3 depicts a three-party multiparty homomorphic encryption protocol, where Participants 1 and 3 form the authorized decryption set. Initially, all participants engage in MHE.SETUP to negotiate shared algorithmic parameters and securely generate individual secret shares, followed by collaborative computation of a collective public key. Homomorphic operations are then executed on the ciphertexts in the encrypted domain, maintaining data confidentiality throughout the process. To recover the plaintext, Participants 1 and 3 collaboratively reconstruct Participant 2's secret share via the span program. Participant 1 combines its own secret with the reconstructed share to calculate the partial decryption of the ciphertext and transmits it to Participant 3, who performs the same operation. The partially decrypted results are exchanged between the two authorized parties, who then apply their respective secret computations to derive the final plaintext, ensuring that only the authorized set can reconstruct the sensitive data.
After completing the initial round of computations, since the private key has been exposed after decryption, it is necessary to refresh the public–private keys. The key refreshing process is illustrated in Algorithm 7.
Algorithm 7. MHE.KEYSWITCH
Input: new secret shares
Output:
1: Each participant individually generates new secret shares . Additionally, compute .
2: collectively compute on the public key, as follows: resulting in
Figure 4 shows the sequence diagram of the three-party key refreshing algorithm. Participants collaborate to execute the key refreshing algorithm to update the public and private keys while maintaining security and confidentiality.
3.2. Multiparty Homomorphic Encryption Algorithm Security Analysis
In the IoV, the transmission of information is susceptible to attacks due to its open environment. Hence, it is imperative to ascertain whether the security of the proposed model is guaranteed during transmission. Moreover, the multiparty homomorphic encryption scheme publicly exposes the matrix , with the secret serving as the private key. Therefore, further analysis of the security of this scheme is necessary. The discrete logarithm problem implies that, given the public key, adversaries cannot decipher the private key. However, this does not suffice to establish the IND-CPA security of the scheme. Hence, a stronger assumption is required.
Theorem 2. Under the DDH assumption, the multiparty homomorphic encryption scheme based on the CSP and DLP is IND-CPA-secure.
Suppose a probabilistic polynomial time (PPT) adversary attacks the IND-CPA security of the multiparty homomorphic encryption scheme based on the CSP and DLP. This implies that adversary inputs plaintexts and , obtains ciphertext , and outputs a guess . If , then succeeds, denoted by .
We now utilize adversary 's attack on the multiparty homomorphic encryption scheme to construct adversary 's attack on the DDH assumption. According to the DDH assumption, elements are sampled from the matrix group to form quadruples and , where is the generator of group . The adversary 's input is . The construction of is as follows:
If the output is 1, then guesses that the quadruple is the quadruple . If the output is 0, then guesses that the quadruple is the random quadruple .
Assertion 1. ’s simulation executed for is correct and complete.
When , , where is randomly chosen. For , this scenario is equivalent to the public key used in the multiparty homomorphic encryption scheme. Due to the difficulty of the discrete logarithm problem (DLP), cannot be directly computed. When , based on the conjugate search problem (CSP), it is computationally difficult to directly compute the matrix . Consequently, it is not feasible to verify whether is independent of . Therefore, adversary cannot distinguish whether the game is constructed by the simulator. Assertion 1 is thus established.
Proof of Theorem 2. When , , where is randomly chosen. For adversary , the public keys and distribution of ciphertexts is identical to that in the execution of the multiparty homomorphic encryption scheme based on the CSP and DLP. Therefore, the probability of success for is equal to the probability of outputting 1, i.e., . When , is a randomly sampled element from the group and is independent of . For adversary , based on the definition of the CSP, it is computationally difficult to determine solely knowing . Hence, has no information about and can only guess with a probability of . Therefore, , .
Since and are equivalent events, the quantity aligns with the definition of advantage in Definition 3. Specifically, , so if adversary attacks the multiparty homomorphic encryption scheme with a non-negligible advantage , then adversary can use adversary to attack the DDH assumption with the same advantage. □
3.3. System Security Analysis
Since the security analysis of the multiparty homomorphic encryption algorithm is based on the difficult assumption definitions of the CSP and DLP, and the security analysis of this algorithm has been provided in the previous section, it is only necessary to analyze from the perspective of the participants and prove that the data uploaded by each participant are secure for any participant. The proof method adopts the ideal/real model analysis method, considering that all the participants are semi-honest models and will complete the calculation goals according to the process of the scheme.
To prove that the rival participant cannot infer the information from the encrypted data, it is only necessary to prove that the encrypted values and random values received by the rival participant are computationally indistinguishable. Since the encrypted data are based on the security analysis of multiparty homomorphic encryption, the encrypted values are computationally indistinguishable to the rival participant.
The security of communication in the scheme has been guaranteed by multiparty homomorphic encryption security, so it is proven that only the rival participant needs to be modeled. To construct a simulator , takes the rival participant as the ideal rival of the subroutine. In the real world, interacts with the rival participant as a normal participant. In addition, can perform the generation of real model encryption with a trusted third party (TTP). During the simulation process, the simulator acts as a semi-honest participant, and the process is described as follows:
- (1) The simulator generates real encrypted data by interacting with the TTP.
- (2) The simulator sends the results to the rival participant. There are two situations for this sending:
  - (1) sends the real encrypted data to the rival participant.
  - (2) selects a random number r to form plaintext data composed of random values and encrypts it with the same public key to obtain the encrypted data .
During the simulation process, the view information obtained by the rival participant is as follows:
In the real world, the messages received by the rival participant are obtained by the participants executing the actual scheme. However, in the ideal world, these messages are generated by the simulator . Since the messages received by the rival participant in both the real world and the ideal world are ciphertexts obtained through public key encryption, based on the semantic security of the algorithm, ciphertexts and are computationally indistinguishable. That is, . Therefore, in the scheme, the rival participant is unable to distinguish whether the message is sent by simulator , and thus cannot distinguish between the ideal world and the real world. The views of both satisfy Definition 7 for rival participants.
During the ciphertext decryption stage, semi-honest users do not disclose the recovered part of the private key when restoring it. Instead, they decrypt the ciphertext in the same way as during the keyswitch stage. Different authorized users hold different parts of the private key, thus ensuring that authorized users do not decrypt the original data uploaded by other users.
The span program is similar to the threshold scheme based on linear secret sharing. If a certain number of vehicle nodes are malicious, the partition of the authorized set based on the span program resists their collusion attack: if the colluding malicious nodes do not form an authorized set, the data cannot be decrypted.
4. Experimental Analysis
In this section, we will evaluate the proposed multiparty homomorphic encryption algorithm from various perspectives, including computational efficiency and communication overhead, and analyze its suitability for applications in vehicular networks.
Our experimental setup is illustrated in Figure 5, where vehicles are equipped with Nvidia Carmel ARM v8.2 64-bit CPUs with 8.0 GB RAM, and the server is configured with an 11th Gen Intel(R) Core(TM) i5-11400F CPU with 32.0 GB RAM and an Ubuntu 18 operating system.
In the experiment, we first compared the proposed multiparty homomorphic encryption scheme with mainstream homomorphic encryption schemes to analyze its suitability in vehicular networks by comparing encryption and decryption times, addition and multiplication times, and ciphertext size. The experimental setup of this study mirrors that of [20]. We utilized the publicly available Palisade homomorphic encryption library to run the following schemes: CKKS [31], BGV [32], BFV [33], and TFHE [34]. The security level of the mainstream schemes was set to 128, and the results are presented in Table 1.
Although the proposed CSP scheme is theoretically grounded in matrix operations, which could in principle introduce higher computational complexity, its practical implementation requires a significantly smaller security parameter than other schemes at equivalent security levels. In homomorphic encryption, the role of this parameter varies across paradigms: in BGV/BFV, it defines the modulus-switching hierarchy by determining the polynomial ring dimension, where a larger value enhances security but escalates computational overhead. In CKKS/TFHE, it acts as the polynomial basis degree, trading improved parallel performance for exponential growth in ciphertext size and memory consumption. In contrast, the CSP defines it as the matrix dimension. As formally stated in Definition 1 and rigorously proven by Begelfor [28], the group factorization problem achieves super-polynomial complexity in classical models when , whereas mainstream schemes like BGV/BFV require to attain comparable security. This gives the CSP a significant advantage in parameter scale, which is reflected in the experimental results.
From Table 1, it can be observed that the encryption and decryption times of our proposed scheme were much lower than those of the CKKS, BGV, and BFV schemes, and comparable to the TFHE scheme. In homomorphic addition, our scheme outperformed several schemes, including the faster BFV, by being approximately 10 times faster, with an average time of less than 10 µs. In homomorphic multiplication, our scheme outperformed existing homomorphic encryption schemes by a significant margin. In the IoV, the computational capabilities of vehicle devices vary. To better adapt to vehicle computing devices, a homomorphic encryption algorithm must have low encryption and decryption times as well as low addition and multiplication overhead. Our proposed scheme demonstrated lower computational overhead in all of these respects compared to other mainstream homomorphic encryption schemes.
Furthermore, in terms of ciphertext size, our scheme’s ciphertext size was much smaller than the other three schemes, being only larger than TFHE, but still less than 1 KB in size. Considering the inherent instability and dynamism of vehicular networks, the size of transmitted data must be kept small to avoid network congestion. Our scheme’s ciphertext size was relatively small compared to other schemes, making it more suitable for communication in vehicular networks.
As shown in Table 2, the communication load of the CSP scheme remained within the MB range, which is much smaller than that of other homomorphic encryption schemes. Although TFHE operates at the KB level, its computational load is large, so it has no advantage in the internet of vehicles scenario. Therefore, in the internet of vehicles environment, considering the computing load and communication load together, the CSP is the more advantageous choice.
The above content compared the basic modules of the multiparty homomorphic encryption scheme with mainstream homomorphic encryption schemes. In the following experiments, we compared it with the most efficient setting of the existing fastest scheme [13], and the results are shown in Table 3. We set a total of vehicles, and the maximum number of authorized subsets was denoted by . In the initialization phase of the multiparty homomorphic encryption algorithm, the overall time overhead was less than that of existing schemes, and it did not increase with . In the multiparty decryption phase of the multiparty homomorphic encryption scheme, when the number of subsets was less than 15, the decryption time was lower than that of existing schemes. For IoV scenarios in which vehicles have low computational capabilities, our proposed scheme, owing to its low computational overhead, can also perform well.
The practical utility of multiparty homomorphic encryption schemes was assessed by conducting experiments built upon the framework outlined in [21]. We ran federated learning code on the experimental equipment using a dataset provided by the Kaggle website, consisting of images of non-emergency and emergency vehicles. The experimental goal was to classify emergency and non-emergency vehicles. In the experiment, we trained with the FedAvg algorithm [35] both with and without encrypting the gradients, to test the effectiveness of the multiparty homomorphic encryption scheme in the internet of vehicles. The experimental results are shown in Figure 6. After 25 rounds of training, the accuracy on the test dataset remained at a high level. For federated learning with the same number of clients, using the multiparty homomorphic encryption scheme had little impact on the convergence of training.